When it comes to long phrases used to defeat recent advances in password cracking, bigger isn't necessarily better, particularly when the phrases adhere to grammatical rules.

A team of Ph.D. and grad students at Carnegie Mellon University and the Massachusetts Institute of Technology has developed an algorithm that targets passcodes of 16 or more characters and built it into the freely available John the Ripper cracking program. The result: it was much more efficient at cracking passphrases such as "abiggerbetter password" or "thecommunistfairy" because they followed commonly used grammatical rules—in this case, ordering parts of speech in the sequence "determiner, adjective, noun." When tested against 1,434 passwords containing 16 or more characters, the grammar-aware cracker surpassed other state-of-the-art password crackers when the passcodes had grammatical structures, with 10 percent of the dataset cracked exclusively by the team's algorithm.

The approach is significant because it comes as security experts are revising password policies to combat the growing sophistication of modern cracking techniques that make the average password weaker than ever before. A key strategy in making passwords more resilient is to use phrases that result in longer passcodes. Still, passphrases must remain memorable to the end user, so people often pick phrases or sentences. It turns out that grammatical structures dramatically narrow the possible combinations and sequences of words crackers must guess: an attacker who enumerates word sequences in the order the grammar favors covers the likely phrases first. One surprising outcome of the research is that the passphrase "Th3r3 can only b3 #1!" (with spaces removed) is one order of magnitude weaker than "Hammered asinine requirements" even though it contains more words. Better still is "My passw0rd is $uper str0ng!" because it requires significantly more tries to correctly guess.

"Underlying structures and not just the number of characters or words determine the strength of a passphrase," the researchers wrote in a research paper titled Effect of Grammar on Security of Long Passwords, which is scheduled to be presented at next month's Conference on Data and Application Security and Privacy. "Passphrase policies that do not consider this may unwittingly allow passphrases such as 'Th3r3 can only be #1!' and 'My passw0rd is $uper str0ng!' that differ in strength by three orders of magnitude."

Decreasing the search space

The scientists' novel cracking attack draws from phrase collections such as the Brown Corpus, which contains about 500 samples of English-language text, totaling about 1.1 million words. The researchers tagged the parts of speech contained in the phrases and observed the most common sequences, such as "determiner, adjective, noun" and "determiner, adjective, adjective, noun." By ordering the corpus of words included in their guesses to fit the most common sequences, crackers can vastly reduce the size of their "search space," an advance that in turn reduces the work required to find the correct phrase.

"When password values have underlying grammatical structures, it is important to understand the role of these structures in decreasing the guessing effort," the researchers wrote. "Guessing effort can be defined as the number of values an attacker has to enumerate to guess a password. Guessing effort is a function of (a) size of the password search space, which is the set of all possible unique password values and (b) distribution of password values, which depends on how users choose password values from the password search space."

If users are using certain rules more often than others, an attacker can use this information to reduce her guessing effort. For example, if the password set contains only the tag-rule "Adjective Noun" then the attacker need not enumerate other tag-rules. Specifically, if the users are choosing weaker tag-rules more often than the stronger tag-rules, the reduction in guessing effort can be higher.

There are other ways that grammatical structures help reduce search space. There are far fewer pronouns in English than verbs, fewer verbs than adjectives, and fewer adjectives than nouns. Because the search space of a tag-rule is the product of the vocabulary sizes of its parts of speech, a password composed of "pronoun-verb-adjective-noun," such as "Shehave3cats", is inherently easier to crack than a "noun-verb-adjective-noun" passphrase such as "Andyhave3cats". A password that incorporates more nouns would be even more secure.
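The following is an added illustration of the tag-rule idea described above; it is not the researchers' John the Ripper patch. It tags a small constructed corpus (the tags and sentences are assumptions standing in for the Brown Corpus), counts tag-rules, computes the search space of each rule as the product of its per-tag vocabulary sizes, and then enumerates candidate passphrases most-frequent rule first until it matches an MD5 target. The target hash is constructed from the sample passphrase "thecommunistfairy".

```python
import hashlib
import itertools
from collections import Counter

# Constructed toy corpus (assumption): each sentence is a list of (word, tag)
# pairs. Tags loosely follow Brown Corpus conventions: DT determiner,
# JJ adjective, NN noun, PRP pronoun, VB verb.
CORPUS = [
    [("the", "DT"), ("big", "JJ"), ("dog", "NN")],
    [("a", "DT"), ("better", "JJ"), ("password", "NN")],
    [("the", "DT"), ("communist", "JJ"), ("fairy", "NN")],
    [("the", "DT"), ("old", "JJ"), ("red", "JJ"), ("barn", "NN")],
    [("she", "PRP"), ("has", "VB"), ("three", "JJ"), ("cats", "NN")],
    [("andy", "NN"), ("has", "VB"), ("three", "JJ"), ("cats", "NN")],
    [("dogs", "NN"), ("chase", "VB"), ("cats", "NN")],
]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def tag_rules(corpus) -> Counter:
    """How often each tag sequence ("tag-rule") occurs in the corpus."""
    return Counter(tuple(tag for _, tag in sent) for sent in corpus)


def lexicon(corpus) -> dict:
    """Distinct words observed under each tag, sorted for deterministic order."""
    lex = {}
    for sent in corpus:
        for word, tag in sent:
            lex.setdefault(tag, set()).add(word)
    return {tag: sorted(words) for tag, words in lex.items()}


def rule_space(rule, lex) -> int:
    """Search-space size of one tag-rule: product of per-tag vocabulary sizes."""
    size = 1
    for tag in rule:
        size *= len(lex[tag])
    return size


def grammar_guesses(corpus):
    """Yield candidates, most frequent tag-rule first, then every word
    combination that fits the rule (spaces removed). Duplicates are skipped."""
    lex = lexicon(corpus)
    seen = set()
    for rule, _freq in tag_rules(corpus).most_common():
        for words in itertools.product(*(lex[tag] for tag in rule)):
            cand = "".join(words)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack_md5(target_hex: str, corpus, limit: int = 1_000_000):
    """Return (guesses_tried, plaintext) or (guesses_tried, None)."""
    n = 0
    for cand in grammar_guesses(corpus):
        n += 1
        if md5_hex(cand) == target_hex:
            return n, cand
        if n >= limit:
            break
    return n, None


if __name__ == "__main__":
    lex = lexicon(CORPUS)
    for rule, freq in tag_rules(CORPUS).most_common():
        print(f"{' '.join(rule):20s} seen {freq}x  space {rule_space(rule, lex)}")
    target = md5_hex("thecommunistfairy")  # constructed target
    print(crack_md5(target, CORPUS))
```

With this corpus the pronoun-led rule PRP VB JJ NN has a search space of 84 candidates while the noun-led NN VB JJ NN has 588, which is the point the paragraph above makes; and because DT JJ NN is the most common rule, "thecommunistfairy" falls on the 62nd guess even though the whole grammar-ordered space holds well over a thousand.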

The experiments also showed that John the Ripper and another freely available cracking program called Hashcat don't provide native support for combining large numbers of words contained in dictionaries of words and previously leaked passwords. However, it's possible to write rules to get around these limitations, and as passphrases become more widely used, it wouldn't be surprising to see the developers of these programs update them to support such techniques.

It's also important to remember that the cracking attacks used in the research work best against passwords that are hashed using general-purpose cryptographic hashes such as SHA1 and MD5, which are designed to be fast and computationally undemanding and therefore let an attacker test enormous numbers of candidates per second.

"So, yes, there are and will be smarter methods to crack passphrases, but in absolute terms their efficiency is relevant in a (large) subset of cases only," Alexander Peslyak, the principal developer behind John the Ripper wrote in an e-mail to Ars.

As Ars has repeatedly counseled, slower algorithms such as bcrypt, PBKDF2, or SHA512crypt are crucial for adequate password security. So while it may be wise to one day adapt password policies to account for grammatical rules, security professionals would do better to focus on their password storage regimen first.
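As an added example (not code from the article or from John the Ripper) of the storage point made above: the same candidate-testing loop that runs at MD5 speed slows by the hash's work factor once the stored value is a salted PBKDF2 digest. The iteration count of 600,000 is an assumption, and the timing helper only measures this machine; the salted store-and-verify pair is what a practitioner would actually reuse.

```python
import hashlib
import hmac
import os
import time

# Assumption: PBKDF2-HMAC-SHA256 with 600,000 iterations; tune to your budget.
ITERATIONS = 600_000


def store_fast(password: str) -> str:
    """The weak regimen: one unsalted MD5 per guess, identical for every user."""
    return hashlib.md5(password.encode()).hexdigest()


def store_slow(password: str, iterations: int = ITERATIONS) -> tuple[bytes, bytes, int]:
    """Per-user random salt plus PBKDF2: every guess now costs `iterations`
    HMAC-SHA256 calls, and a cracked hash does not transfer between users."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk, iterations


def verify_slow(password: str, salt: bytes, dk: bytes, iterations: int) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(cand, dk)  # constant-time comparison


def guesses_per_second(hash_once, samples: int = 200) -> float:
    """Rough candidates-per-second this machine manages with hash_once."""
    t0 = time.perf_counter()
    for i in range(samples):
        hash_once(f"candidate{i}")
    return samples / (time.perf_counter() - t0)


def seconds_to_exhaust(search_space: int, rate: float) -> float:
    """Time to try every candidate in a search space at a given guess rate."""
    return search_space / rate


if __name__ == "__main__":
    salt, dk, it = store_slow("thecommunistfairy")  # constructed sample
    assert verify_slow("thecommunistfairy", salt, dk, it)
    fast = guesses_per_second(store_fast)
    slow = guesses_per_second(
        lambda p: hashlib.pbkdf2_hmac("sha256", p.encode(), salt, it), samples=5)
    space = 10**9  # hypothetical grammar-constrained passphrase space
    print(f"MD5:    {fast:,.0f} guesses/s, {seconds_to_exhaust(space, fast):,.0f} s")
    print(f"PBKDF2: {slow:,.0f} guesses/s, {seconds_to_exhaust(space, slow):,.0f} s")
```

The ratio between the two rates is roughly the iteration count, which is the whole argument for bcrypt, PBKDF2 or sha512crypt: the defender pays that cost once per login, the attacker pays it once per guess.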

This brings me to the question as to why some sites won't let you cut and paste passwords when setting up a password. This happened to me when I reset my password at PayPal the other day. Normally I'm in the habit of using Keepass to generate long passwords of at least 20 characters with special characters enabled to increase the complexity. When trying to paste a random string into the password, a message popped up saying they were blocking the pasting of passwords. In a hurry and failing to correctly enter the complex string manually a couple times, I gave up as I was pressed for time. I generated a less complex password with fewer characters and managed not to mess it up. Now my password is less secure (but I will fix it later).

What is the point of not allowing the process of pasting passwords when setting them up? I honestly don't know.

Phishing/hacking - If I have remote access to your computer I can copy the password text out of your browser and into mine... Although I'd have to be pretty silly not to paste the password into notepad first...

If I can think of that, then so can a minimum wage security admin at PayPal, however they probably won't get past the "If we disable it and say it's to improve security" bit to actually seeing if it does improve security.

That's when you open up your browser's inspection pane, and delete the relevant javascript from the password field.

What's worse for me are sites that ignore part of your password. I know for a fact Dice (at least did) only uses the first 8 characters of your password. Anything else you type after that (even when logging in) is ignored.

That and sites that refuse to let me use special characters, spaces, etc. Being told I can't use % makes me seriously rethink my need to have an account.

I'd really like to see passwords replaced by something better, but I just don't know when it's going to happen. I'm particularly a fan of that system that recognizes you by how you type a sentence; that is, how quickly you go from one particular letter to the next.

I still don't know if any password will ever be good enough with the omnipresent "forgot password" link and other customer service "hacks"

Not a huge surprise .. this is just "dynamic phrase attack" as opposed to "dictionary attack" ..

If your password is a l33t sp34k random set of nouns then you should be good to go .. but then, I wouldn't expect any of the "worst passwords" (or even "vaguely bad passwords") to be used by any Ars users anyway

The best system we have now is the two factor system consisting of something you know (password) and something you possess (USB key fob/phone/etc.).

Compare a password to the lock on your front door. A door lock is easy to bypass, however, it is backed up very strongly by legal remedies. And there is a social recognition that bypassing a locked door is a criminal act, and those who break it are socially ostracized. However, the act of breaking a password has not reached this state yet.

To summarize this article, and the password strategies that arise in response to it, and indeed the next 20 years of password-strength policies: anything that makes a password memorable is exploitable. Human beings are good at many things, but dealing with high entropy strings is not one of them.

Compare a password to the lock on your front door. A door lock is easy to bypass, however, it is backed up very strongly by legal remedies. And there is a social recognition that bypassing a locked door is a criminal act, and those who break it are socially ostracized. However, the act of breaking a password has not reached this state yet.

They already are, however in real life the number of doors a would-be thief can attempt to break into at a time is 1, while on the internet the number is somewhat more than 1. In the same vein, a speeding ticket given 30 years ago was penalised heavily due to the fact that you had to be caught by a police officer. These days it's penalised just as heavily, however the effort required to catch a speeder has reduced to commodity levels.

Compare a password to the lock on your front door. A door lock is easy to bypass, however, it is backed up very strongly by legal remedies. And there is a social recognition that bypassing a locked door is a criminal act, and those who break it are socially ostracized. However, the act of breaking a password has not reached this state yet.

If someone could bypass your locked door anonymously, from somewhere far away, with no fear of legal repercussions (or vigilante mob justice) there wouldn't be much social ostracism for doing that either. That "yet" is highly optimistic.

This brings me to the question as to why some sites won't let you cut and paste passwords when setting up a password. This happened to me when I reset my password at PayPal the other day. Normally I'm in the habit of using Keepass to generate long passwords of at least 20 characters with special characters enabled to increase the complexity. When trying to paste a random string into the password, a message popped up saying they were blocking the pasting of passwords. In a hurry and failing to correctly enter the complex string manually a couple times, I gave up as I was pressed for time. I generated a less complex password with fewer characters and managed not to mess it up. Now my password is less secure (but I will fix it later).

What is the point of not allowing the process of pasting passwords when setting them up? I honestly don't know.

I have much the same habit, and I think the idea is to avoid people with plaintext password lists.

I think one fix would be if the keepass author tied a bit deeper into the OS with a virtual keyboard driver; Kaspersky has something along that line in their antivirus product (an on-screen keyboard). I don't know the technical feasibility, though, given that KeePass has a version or fork that supports pretty much any OS.

Ironically, though, PayPal lets you use cut and paste when you log into the site, and only limits it when you're entering a new password. If anything, that seems backasswards -- make it as easy as possible to make a new complex password, and encourage your users to use complex passwords, don't discourage it!

When trying to paste a random string into the password, a message popped up saying they were blocking the pasting of passwords.

That's when you open up your browser's inspection pane, and delete the relevant javascript from the password field.

Any competently-written website won't have a nice convenient 'onblur="validatePassword()"' – the code for doing that sort of thing will be buried in a separate JavaScript file somewhere, probably minified and concatenated with a bunch of other JS.

nullifi wrote:

That and sites that refuse to let me use special characters, spaces, etc. Being told I can't use % makes me seriously rethink my need to have an account.

Indeed. At the very least they should allow spaces; there's no good technical reason why they can't, just as there's no real technical reason they should limit passwords to 20 characters or whatever.

Haven't tried it on paypal (or any other site that prevents you from pasting passwords) but KeePass2 offers a feature called "auto-type" which will input username and password for you (default pattern, you can change the behaviour per item or per group)

If your password is a l33t sp34k random set of nouns then you should be good to go

I'm unsure of the rules of leet speak, but if you're simply replacing a set of alphabetic characters with their number/symbol equivalents, then the character space is exactly the same if someone designs a password cracker looking for leet speak.
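An added example (not from the article, the paper or any commenter) that quantifies the point in the reply above: if a cracker applies a leet-substitution rule to each dictionary word, the number of spellings it must try grows only by the product of the per-letter choices, so "l33t" adds a handful of bits per word rather than a new character space. The substitution table is an assumption; real cracker rule sets vary.

```python
import itertools
import math

# Constructed substitution table (assumption): each letter may stay as-is or
# become any one of the listed replacements.
LEET = {"a": "4@", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7"}


def leet_variants(word: str) -> set[str]:
    """Every spelling reachable by leaving each letter alone or swapping it for
    one of its LEET equivalents: the candidate set a rule-based cracker expands
    a single dictionary word into."""
    options = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    return {"".join(p) for p in itertools.product(*options)}


def extra_bits(word: str) -> float:
    """Entropy the cracker pays for leet-mangling this word: log2(#variants)."""
    return math.log2(len(leet_variants(word)))


def phrase_variants(words: list[str]) -> int:
    """Variants of a multi-word phrase: the product of per-word variant counts."""
    n = 1
    for w in words:
        n *= len(leet_variants(w))
    return n


if __name__ == "__main__":
    for w in ["password", "dog", "communist"]:
        print(f"{w}: {len(leet_variants(w))} variants, +{extra_bits(w):.2f} bits")
    print("dog cat:", phrase_variants(["dog", "cat"]), "variants")
```

For "password" the table above yields 54 spellings, under 6 extra bits; a cracker that already has the word in its list pays for that with a single mangling rule, which is why the character space "looks" bigger without the guessing effort growing much.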

So the best pass phrase to create is to use a quote and use only the nouns. If you can pepper the nouns with something that is not part of it at all, such as special characters or digits, things get even better. It is still memorable, but as strong as possible.

Geez, if we need to start using complete nonsense pass-phrases that are longer and longer, I want more secure less expensive biometrics! Then go ahead and make my password hundreds of random characters.

I’ve been wondering, to what extent does using passwords in a non-English language protect you from such attacks? Are dictionaries in foreign languages as well made or as well distributed? Is it easy to customize a password cracking tool to adapt to a new language?

I’ve been wondering about these questions while reading such articles ^ ^.

For anything that requires actual personal information, I use words from one language, grammar from another, and numbers and special characters mixed in. It's worked so far, but now I'm curious how well it would actually work against a concerted attack. I need to actually remember my password, so random sprays of characters will never work for me.

I have used ASCII code for passwords for a while now on systems that permit it. I use a variation of 1337 speak and ebonics on systems that do not. Both allow for very strong and funny passwords.

But let's get real here. There isn't anything you can really do to stop someone from gaining unauthorized access to your account. The most you can do is make it difficult to the point that it's not really worth the effort. Any security measure you can think of can and will be compromised by someone with the will and the time to do so.